BUILD: ssl: use OPENSSL_NO_OCSP to detect OCSP support

Since commit 656c5fa7e8 ("BUILD: ssl: disable OCSP when using boringssl) the OCSP code is bypassed when OPENSSL_IS_BORINGSSL is defined. The correct thing to do here is to use OPENSSL_NO_OCSP instead, which is defined for this exact purpose in openssl/opensslfeatures.h. This makes haproxy forward compatible if boringssl ever introduces full OCSP support with the additional benefit that it links fine against a OCSP-disabled openssl. Signed-off-by: Lukas Tribus <luky-37@hotmail.com>
2024-12-27 23:22:09 +00:00 · 2014-12-09 16:32:51 +01:00 · 2014-12-09 16:32:51 +01:00 · e4e30f7d52
commit e4e30f7d52
parent f3d3482c98
3 changed files with 5 additions and 5 deletions
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h
@ -55,7 +55,7 @@ int ssl_sock_get_cert_used_sess(struct connection *conn);
 int ssl_sock_get_cert_used_conn(struct connection *conn);
 int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *out);
 unsigned int ssl_sock_get_verify_result(struct connection *conn);
-#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
 int ssl_sock_update_ocsp_response(struct chunk *ocsp_response, char **err);
 #endif

--- a/src/dumpstats.c
+++ b/src/dumpstats.c
@ -1795,7 +1795,7 @@ static int stats_sock_parse_request(struct stream_interface *si, char *line)
 #ifdef USE_OPENSSL
 		else if (strcmp(args[1], "ssl") == 0) {
 			if (strcmp(args[2], "ocsp-response") == 0) {
-#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
 				char *err = NULL;

 				/* Expect one parameter: the new response in base64 encoding */
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -44,7 +44,7 @@
 #include <openssl/x509.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
-#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
 #include <openssl/ocsp.h>
 #endif

@ -113,7 +113,7 @@ static DH *local_dh_4096 = NULL;
 static DH *local_dh_8192 = NULL;
 #endif /* OPENSSL_NO_DH */

-#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
 struct certificate_ocsp {
 	struct ebmb_node key;
 	unsigned char key_data[OCSP_MAX_CERTID_ASN1_LENGTH];
@ -1283,7 +1283,7 @@ static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf
 	}
 #endif

-#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
 	ret = ssl_sock_load_ocsp(ctx, path);
 	if (ret < 0) {
 		if (err)